The European Union has one primary over-arching data law that covers the entire EU (and reaches non-European countries that collect and store personal data on European citizens). The United States has historically taken a different approach to data laws – individual responses to specific concerns.

The result is that while the EU has one basic law covering data protection, privacy controls and breach notification (GDPR), the U.S. has a patchwork of state and federal laws, common law and public and private enforcement that has evolved over the last 100 years and more.

Every state now has its own breach notification law. California started the ball rolling in 2003 with the first state legislation. Now 48 US states, the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have enacted their own data breach notification laws that require affected individuals to be notified in the event of an information security breach. South Dakota introduced its first breach notification law this year.

The problem for U.S. business is that there is currently no absolute standard, and no federal law – although there are separate sector-specific requirements. In November 2018, chip giant Intel published a draft model federal bill that it calls the "Innovative and Ethical Data Use Act of 2018," to improve protection of personal privacy through nationwide standards.

In general, these laws have been expanded over the years to include more specific data and privacy requirements. For example, on September 1, Colorado’s new HB 18-1128 came into force, requiring formal information security policies as well as increased oversight of third parties.

Now California is again leading the way with its new California Consumer Privacy Act (CCPA) enacted on June 28, 2018 (and due to come into force on January 1, 2020). CCPA has some alignment with GDPR, but remains different. For example, it includes exemptions for small businesses: it only applies to companies with more than $25 million in annual gross revenue, or those that collect personal information from more than 50,000 consumers, or derive more than 50% of revenue from the sale of personal information.

Nevertheless, it is the most stringent of the U.S. state level data protection laws and is expected to be followed by other states before it comes into force. It is also fair to say that it is driving a backlash among the tech giant firms, who, for the first time ever, are now lobbying in favor of a federal data protection law.

Federal versus State

2018 has seen a resurfacing of interest in a federal data protection law. It is worth remembering, however, that while state government tends to concentrate on the wishes of the electorate (that is, on consumers), the federal government tends to concentrate on the national economy (that is, on business).

According to the New York Times (August 2018), “In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.”

Federal concern over stringent state legislation is not uncommon. In September, the Justice Department sued California to stop the state’s new net neutrality bill shortly after it was signed by California Gov. Jerry Brown.

Attorney General Jeff Sessions said at the time, “States do not regulate interstate commerce – the federal government does. Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy.”

At a stretch, that comment could be applied to data protection and breach notification state laws where a third-party state with milder laws could have the commerce of its indigenous businesses affected by California’s new law.

This roll-back of consumer-centric state laws to a business-centric federal law seems to be what companies like Facebook, Google and Microsoft are targeting.

On September 24, the Electronic Frontier Foundation wrote to the Committee on Commerce, Science, & Transportation. “EFF submits this letter to the Senate Commerce Committee to detail the dangers to individual user privacy posed by industry suggestions that Congress should wipe the slate clean of state privacy laws through pre-emption,” it said.

“The Committee should understand that the only reason many of these companies seek congressional intervention now, after years of opposing privacy legislation both federally and at the states, is because state legislatures and attorney generals have acted more aggressively to protect the privacy interest of their states’ residents, in many cases over their objections.”

The likelihood of a federal privacy law

“Given the series of privacy-related scandals over the past few months,” Dana Simberkoff, chief risk, privacy and information security officer at AvePoint told SecurityWeek, “we now face a strong likelihood that the U.S. will move forward with federal privacy legislation in one form or another. There has long been speculation that the need for a federal data privacy policy would finally be realized only after the ‘perfect storm’ occurred – which is what we see happening in the privacy landscape today.”

This perfect storm, she suggests, has arrived in the form of GDPR together with the European regulators (“the most aggressive privacy regulators in the world”); the failure of U.S. firms to prevent massive privacy scandals (such as Facebook and Equifax); and the rise of aggressive state-level legislation such as California’s CCPA.

Perhaps just as importantly, she adds, “In a non-binding vote on July 5, the European Parliament called for the Privacy Shield Data Transfer Arrangement between the European Union and the U.S. to be suspended later this year due to the U.S.’s failure to implement all of its obligations under the agreement.”

Advantages and disadvantages of relying on state-level regulations

National laws reflect what the national government perceives to be beneficial to the nation. This usually means encouraging business and business innovation. State laws more closely reflect the wishes of consumers.

There is an immediate conflict of interest here. In an age of big data, big business makes money from using and selling personal data, while consumers have an innate desire for privacy and a distrust of big business. For example, a survey of 1000 Americans conducted by BestVPN this month found that 87.5 percent of respondents, regardless of age and gender, are ‘slightly’ to ‘very concerned’ about the privacy of their personal data online. It is state government rather than federal government that is most likely to prioritize such consumer concerns.

“US state-level data protection and breach notification laws involve the data controllers and processors (i.e. the companies and their partners), the affected individuals, law enforcement, and State Attorneys General as stakeholders,” explains Rishi Bhargava, Co-founder at Demisto. “The onus of protection and notification is placed upon the data collectors, with conditions placed upon individual/public notification, when to inform legal authorities, and so on.”

Individual states can, he added, “include or modify requirements that align with the political, social, and technological nuances of that particular state.” And there’s the problem for business. The state laws differ among themselves in their definition of covered entities, the granularity of information to be included in a breach notification, the triggering conditions, the time limits and much more.

It is worth remembering that one of the primary drivers behind the development of GDPR was to provide a single data protection regulation across the entire European market for the benefit of both business and consumers.

In the U.S. right now, large organizations must navigate 50 state laws, and numerous international laws such as GDPR. Separate from the state and international laws, comments David Ginsburg, VP of marketing at Cavirin, “there are federal laws that cover specific verticals. For example, Gramm-Leach-Bliley for finance, HIPAA for healthcare, the Fair Credit Reporting Act for consumer credit rating, the Family Education Rights and Privacy Act for education, and others. Note that there are also actions in congress to tighten laws for some of these verticals. For example, breach notification and penalties for credit reporting agencies on the back of the Equifax fiasco.”

A way forward

The requirement for a federal data protection and privacy regulation has never been greater. It will probably happen – but the question is whether a federal government can find a way of satisfying both business and consumers; and, it should be said, the European Union, which will demand some degree of equivalence with GDPR to maintain the Privacy Shield.

One solution would be to mirror GDPR itself at a federal level. This would make concerns over trade and Privacy Shield obsolete. It would probably satisfy most consumers, but would bring the full force and power of big business lobbying against it – and the national government will seek to accommodate business concerns.

The likelihood is a watered-down data protection and privacy regulation. Business will want it to pre-empt the state laws – which the states and privacy activists will oppose. “The Supremacy Clause within Article VI of the U.S. Constitution,” explains Simberkoff, “ensures that if a conflict exists between federal and state law, the federal law would prevail. However, states might create additional laws that give their citizens more rights, so long as their laws did not conflict with the overarching federal government’s legislation.”

This is the preferred way forward for Bhargava. “A combination of federal laws, which act as a base, and state laws, which add on stricter requirements, would be an ideal combination to aim toward,” he told SecurityWeek. “While base level federal requirements would be very useful, state-level laws allow for states to adopt additional, stricter measures to protect individuals’ data and hold data controllers/processors accountable. This applies both to companies that house data in a particular state as well as affected individuals that live in a particular state.”

But there remains one organization that can never be ignored where standards and regulations are concerned: NIST. NIST is already working on a voluntary Framework for Online Privacy; and what starts as voluntary in NIST often gets incorporated into legislation.

In a blog posted last week, NIST senior privacy policy advisor Naomi Lefkovitz talks about the project. She shows some awareness of consumer concerns. “People can be unhappy with how much of their information is being collected or be stigmatized or experience other problems even when they’ve authorized the information to be disclosed. These problems can cause people direct emotional distress as well as causing them to limit or abandon their use of beneficial products and services due to lack of trust.”

She describes the purpose of the project as “to collaboratively develop the Privacy Framework as a voluntary, enterprise-level tool that could provide a catalog of privacy outcomes and approaches to help organizations prioritize strategies that create flexible, effective privacy protection solutions and that let individuals enjoy the benefits of innovative technologies with greater confidence and trust.”

But NIST, it should be remembered, is an agency of the United States Department of Commerce. Its primary purpose is to promote innovation in commerce. It is not a consumer organization.

Whether the federal government develops a federal data protection and privacy law, kicks it over to NIST, or leaves legislation up to the individual states, it looks like the battle for privacy in the United States is probably just beginning.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.